diff --git a/.github/workflows/catalog-openstack-operator-upgrades.yaml b/.github/workflows/catalog-openstack-operator-upgrades.yaml
index 8b3bd77c3..0c8117ebe 100644
--- a/.github/workflows/catalog-openstack-operator-upgrades.yaml
+++ b/.github/workflows/catalog-openstack-operator-upgrades.yaml
@@ -29,34 +29,34 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4
         with:
           go-version: ${{ inputs.go_version }}
           cache: false
       - name: Checkout openstack-operator repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           path: ./openstack-operator
       - name: Get branch name
         id: branch-name
-        uses: tj-actions/branch-names@v9
+        uses: tj-actions/branch-names@5250492686b253f06fa55861556d1027b067aeb5 # v9
       - name: Set latest tag for non main branch
         if: "${{ steps.branch-name.outputs.current_branch != 'main' }}"
         run: |
           echo "latesttag=${{ steps.branch-name.outputs.current_branch }}-latest" >> $GITHUB_ENV
       - name: Install opm
-        uses: redhat-actions/openshift-tools-installer@v1
+        uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1
         with:
           source: github
           opm: 'latest'
       - name: Log in to Quay Registry
-        uses: redhat-actions/podman-login@v1
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1
         with:
           registry: ${{ env.imageregistry }}
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
       - name: Log in to Red Hat Registry
-        uses: redhat-actions/podman-login@v1
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1
         with:
           registry: registry.redhat.io
           username: ${{ secrets.REDHATIO_USERNAME }}
@@ -72,14 +72,14 @@ jobs:
           BUNDLE: ${{ env.imageregistry }}/${{ env.imagenamespace }}/openstack-operator-bundle:${{ github.sha }}
       - name: Buildah Action
         id: build-operator-index-upgrade
-        uses: redhat-actions/buildah-build@v2
+        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
         with:
           image: openstack-operator-index-upgrade
           tags: ${{ env.latesttag }} ${{ github.sha }}
           containerfiles: |
             ./catalog.Dockerfile
       - name: Push openstack-operator-index-upgrade To ${{ env.imageregistry }}
-        uses: redhat-actions/push-to-registry@v2
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
         with:
           image: ${{ steps.build-operator-index-upgrade.outputs.image }}
           tags: ${{ steps.build-operator-index-upgrade.outputs.tags }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3e7e1ddad..2cc884a6b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -52,11 +52,11 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -84,6 +84,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/crd-size-badge.yaml b/.github/workflows/crd-size-badge.yaml
index 662d17b74..3f08b48eb 100644
--- a/.github/workflows/crd-size-badge.yaml
+++ b/.github/workflows/crd-size-badge.yaml
@@ -18,12 +18,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Install yq
-        uses: mikefarah/yq@v4
+        uses: mikefarah/yq@1b9b4ac5187171d2e5e3129be0cfa827c7f9d53d # v4
 
       - name: Compute CRD JSON size
         id: size
@@ -68,7 +68,7 @@ jobs:
 
       - name: Find existing comment
         if: github.event_name == 'pull_request_target'
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
         id: find_comment
         with:
           issue-number: ${{ github.event.pull_request.number }}
@@ -77,7 +77,7 @@ jobs:
 
       - name: Post or update PR comment
         if: github.event_name == 'pull_request_target'
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
         with:
           comment-id: ${{ steps.find_comment.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -107,7 +107,7 @@ jobs:
 
       - name: Update badge gist
         if: github.event_name == 'push'
-        uses: schneegans/dynamic-badges-action@v1.7.0
+        uses: schneegans/dynamic-badges-action@0e50b8bad39e7e1afd3e4e9c2b7dd145fad07501 # v1.8.0
         with:
           auth: ${{ secrets.GIST_SECRET }}
           gistID: ${{ vars.GIST_ID }}
diff --git a/.github/workflows/crd-sync-check.yaml b/.github/workflows/crd-sync-check.yaml
index d4ed8f7b2..574664d31 100644
--- a/.github/workflows/crd-sync-check.yaml
+++ b/.github/workflows/crd-sync-check.yaml
@@ -32,7 +32,7 @@ jobs:
         echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       with:
         ref: ${{ steps.set_branch.outputs.branch_name  }}
 
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 67fac07f2..743e26c25 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -19,16 +19,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3
         with:
           go-version: 1.24.x
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           # this fetches all branches. Needed because we need gh-pages branch for deploy to work
           fetch-depth: 0
       - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.2'
+          ruby-version: '3.4.9'
 
       - name: Install Asciidoc
         run: make docs-dependencies
diff --git a/.github/workflows/kustom.yaml b/.github/workflows/kustom.yaml
index 85f542d9f..32b3a4adc 100644
--- a/.github/workflows/kustom.yaml
+++ b/.github/workflows/kustom.yaml
@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3
         with:
           go-version: 1.24.x
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           # this fetches all branches. Needed because we need gh-pages branch for deploy to work
           fetch-depth: 0
diff --git a/.github/workflows/lints.yaml b/.github/workflows/lints.yaml
index f02b1f013..769c34f53 100644
--- a/.github/workflows/lints.yaml
+++ b/.github/workflows/lints.yaml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: check for replace lines in go.mod files
         run: |
           ! egrep --invert-match -e '^replace.*/apis => \./apis|^replace.*//allow-merging$'  `find . -name 'go.mod'` | egrep -e 'go.mod:replace'
diff --git a/.github/workflows/release-openstack-operator.yaml b/.github/workflows/release-openstack-operator.yaml
index 9352417d7..9382aa672 100644
--- a/.github/workflows/release-openstack-operator.yaml
+++ b/.github/workflows/release-openstack-operator.yaml
@@ -15,10 +15,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 
     - name: Tag image
-      uses: tinact/docker.image-retag@1.0.2
+      uses: tinact/docker.image-retag@684702232e2a3c29b4e5ca25d7d80f927d255c64 # 1.0.3
       with:
         image_name: ${{ env.imagenamespace }}/
         image_old_tag: ${{ github.sha }}
@@ -28,7 +28,7 @@ jobs:
         registry_password: ${{ secrets.QUAY_PASSWORD }}
 
     - name: Tag -bundle image
-      uses: tinact/docker.image-retag@1.0.2
+      uses: tinact/docker.image-retag@684702232e2a3c29b4e5ca25d7d80f927d255c64 # 1.0.3
       with:
         image_name: ${{ env.imagenamespace }}/-bundle
         image_old_tag: ${{ github.sha }}
@@ -38,7 +38,7 @@ jobs:
         registry_password: ${{ secrets.QUAY_PASSWORD }}
 
     - name: Tag -index image
-      uses: tinact/docker.image-retag@1.0.2
+      uses: tinact/docker.image-retag@684702232e2a3c29b4e5ca25d7d80f927d255c64 # 1.0.3
       with:
         image_name: ${{ env.imagenamespace }}/-index
         image_old_tag: ${{ github.sha }}